What’s on your cybersecurity watch-list for 2017? Phishing attacks, ransomware and malware are just a few areas that Liz C. suggests Spiceheads should be considering as priorities. Rather than tackling these individually, though, IT pros are looking to create an overall safer IT environment.

David Paul, aka dpaul, plans to focus on user training and doing his own internal pen testing, while John Nelson, aka john4865, plans to work on accountability (audit trails). “In a world where no network is completely secure, minimizing ‘time to detection and mitigation’ is going to be a focus,” he says.

Some IT pros plan to focus on passwords in the coming year — and they may have to start with their own practices. Citing a LastPass Sharing survey, which revealed 95 per cent of people share up to six passwords with others, and a Password Boss survey indicating that 59 per cent of respondents reuse passwords, Spicehead Haley asked the online community what password rules they are guilty of breaking.

Admissions of guilt poured in. Weak passwords, reusing passwords and sharing passwords were common violations. Some admitted to storing user passwords in the workplace with varying degrees of security.

Tim Hughes, aka Tim-H, disagrees with storing user passwords and sees no reason to do so. “If I need to help a user, I can shadow a session. If they are unavailable to give me the current password when needed, I just nuke the password and, when done, make them change it on first login.”

This sounds practical, but Brian Turner, aka MrTurner, points out that passwords are not easy to reset. “Sure, technically they are. But on a practical level they have to be re-memorized and will result in a percentage of lost-password tickets. Any such ticket will cost at least $10 and could cost a few hundred. And the more you reset a user’s password, the weaker the new one tends to become.”

One of his goals is to drive down the cost of password resets, so he’s looking into business-class password managers that could help control workflow costs. He’s also testing out a password generator for users.

But rolling out proper policies and procedures can be difficult without management buy-in. Christopher, aka RebootsSolveProblems, relates the story of his firm’s general counsel, who said: “I won’t worry about getting hacked until after it happens.”

Spicehead Gabrielle Lafleur sees no problem with this, arguing that “it’s YOUR job to worry about it before it happens, not hers.” But Christopher feels that security is everybody’s job.

Bill Mack, aka Bill6324, weighs in: “It is part of my job to keep our network secure, and to do so without creating barriers to getting work done, or breaking the budget. … Any business, no matter how large or small, is looking to maximize productivity and maximize profits, which means minimizing impediments to workflow and minimizing expenses.”

IT, ultimately, is a cost centre, not a profit centre, so it’s up to the IT department to fight for the needed budget and to keep the network secure, he said, while considering any potential issues that may create policies too burdensome for the company and its employees.

“Sure, security is everyone’s job,” he said. “But it is your job to create, enforce and get management buy-in for the policies that secure your network — after all, that is what they pay you to do.”